One trillion phishing emails sent every year

Phishing remains one of the most useful tools in a cybercriminal’s arsenal, as new research from Valimail has revealed that at least 3.4bn fake emails are sent out worldwide each day.

The firm’s latest quarterly report, Email Fraud Landscape for Spring 2019, shows that email impersonation accounted for 1.2 percent of all email sent during Q1 2019. While this is lower than the 1.6 percent rate that Valimail noted in Q2 2018, it still represents a huge number of fake messages.

The firm used proprietary data from its analysis of billions of email message authentication requests along with publicly accessible DMARC and SPF records to compile its report.

CEO and co-founder of Valimail Alexander García-Tobar provided further insight on the findings of the report, saying:

“It remains clear that fake emails from hackers, phishers and other cyber criminals constitute the major source of cyberattacks. As more companies recognize and respond to email vulnerabilities, we expect to see organizations continue to deploy authentication technologies to protect against untrusted and fraudulent senders. The fact is that too many attackers are using impersonation to get through existing email defenses. A robust approach to sender identification and authentication is needed to make email more trustworthy, once and for all.”

Combating phishing with DMARC

Valimail’s report is not all bad news, as the number of domains deploying DMARC to address the fake email problem continues to grow, with more than 740,000 DMARC-enabled domains worldwide today.

The adoption of standards-based email authentication is accelerating in many industries, though in some categories, such as the Fortune 500, US tech giants and the US federal government, DMARC usage is well over 50 percent.

While adoption may be up, Valimail found that enforcement still lags behind. Of the domains deploying DMARC, only around 20 percent have actually configured it to a policy of quarantine or reject, which helps protect the domain from impersonation.

The firm also found that fewer than 10 percent of all companies have DMARC records with enforcement policies, and only the US government and US tech giants have higher rates of protection, at 72 percent and 24 percent of domains respectively.
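
The gap between deploying DMARC and enforcing it, described above, can be checked from a domain's published record. The following is an added example, not code from Valimail or its report: it classifies DMARC TXT records (as published at `_dmarc.<domain>`) by enforcement level and computes the share at quarantine or reject. The sample records, the `*.example` names and the function names are constructed for illustration, and no DNS lookup is performed.

```python
# Added example. Records are constructed samples; *.example names are placeholders.
SAMPLES = {
    "a.example": "v=DMARC1; p=none; rua=mailto:dmarc@a.example",  # monitoring only
    "b.example": "v=DMARC1; p=quarantine; pct=25",                # partial rollout
    "c.example": "v=DMARC1; p=reject; sp=reject",                 # full enforcement
    "d.example": "v=spf1 -all",                                   # SPF, not DMARC
    "e.example": "v=DMARC1; p=reject",
}

def parse_dmarc(txt):
    """Return {tag: value} for a DMARC TXT record, or None if it is not one."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep:
            return None  # every tag must be name=value
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # the version tag must come first
        tags.setdefault(name, value)  # assumption: keep the first occurrence
    return tags or None

def classify(txt):
    """Label a record: no-dmarc, invalid-policy, monitor-only,
    partial-enforcement (pct below 100) or enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor-only"  # reports are collected, spoofed mail still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid-policy"
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() and int(pct) <= 100 else 100
    return "enforced" if pct == 100 else "partial-enforcement"

def enforcement_rate(records):
    """Share of DMARC-publishing domains with p=quarantine or p=reject."""
    labels = [classify(r) for r in records]
    deployed = [l for l in labels if l != "no-dmarc"]
    enforcing = [l for l in deployed if l in ("enforced", "partial-enforcement")]
    return len(enforcing) / len(deployed) if deployed else 0.0

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(f"{domain}: {classify(record)}")
    print(f"enforcement rate: {enforcement_rate(SAMPLES.values()):.0%}")
```

A domain labelled `monitor-only` or `partial-enforcement` has published DMARC but can still be impersonated for some or all mail, which is the condition the report counts as deployed but not enforced.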